Office of Inspector General slams department’s security program four years running
Monthly Archives: May 2022
Manage and Remediate Cloud Infrastructure Misconfiguration Vulnerabilities with Tenable.cs and HashiCorp Terraform Cloud
Cloud breaches are on the upswing due to preventable misconfigurations. Here’s how you can lower your risk with a new integration between Tenable.cs and Terraform Cloud.
Today’s cloud environments are highly dynamic with new updates continuously released into production and workloads scaling up and down based on customer demand. Within minutes cloud engineers can spin up and fully deploy resources to the cloud. But with increased speed many times comes increased risk. System vulnerabilities caused by misconfigurations are often overlooked and may remain undetected for months. As a result, cloud breaches are increasing in scale and velocity. Over 30 billion records were exposed in 200 breaches between 2018 and 2020 due to cloud infrastructure misconfigurations alone.
How can you reduce your chances of suffering breaches caused by cloud misconfigurations? In this post, we explain how Tenable and HashiCorp can help with this issue via a new integration between Tenable.cs and Terraform Cloud Run Tasks.
Introduction to cloud provisioning and Terraform
Cloud resource provisioning is a key aspect of deploying cloud workloads. Although most cloud providers have their own provisioning utilities, best-of-breed tools like Hashicorp Terraform offer benefits that go beyond what cloud providers offer. Using Terraform, an open-source Infrastructure as Code (IaC) tool, to provision infrastructure provides many benefits to the management and operations of your environment. HashiCorp Configuration Language (HCL) provides the ability to standardize reusable modules of infrastructure that can be used across projects and environments. When standing up infrastructure, Terraform reads the current state of your environment and determines any changes needed to configure the environment to the state defined in your IaC. This simplifies the process of managing complex architectures which can be fragile if manually maintained. IaC allows for the code to be version controlled and provides better visibility into how the infrastructure has been provisioned and configured.
Terraform key security considerations
Terraform also offers security benefits. The workflow around infrastructure provisioning can be used to protect your environment from security issues. When enforcing the use of IaC for any changes in your environment, code can be assessed to ensure that any security defects are detected and mitigated before infrastructure is provisioned. Security or operational guardrails can be codified and enforced through CI/CD pipelines, gates, or other automated means to ensure that your environment is compliant with your policies.
While using tools such as Terraform simplify managing infrastructure, it’s still common for critical misconfigurations of cloud infrastructure to happen. Key areas of concerns for vulnerability management for Terraform environments include:
Secrets Management: Terraform requires credentials in order to authorize any API actions necessary to provision the infrastructure specified in your code. Since these credentials provide privileged access to create, manage, and destroy your environment, care should be taken to ensure that they are not exposed to unauthorized people or processes.
System State Management: Terraform uses a state file to track the state of provisioned infrastructure resources. By default, the state file is stored on the local file system of the system where Terraform is executed. Persisting state files with your source code is a bad idea as these could contain secrets or other sensitive information.
Dependency Management: Terraform uses plugins called “providers” to interact with remote APIs for the resources defined in your code. These are downloaded to the system where Terraform is executed when performing the “terraform init” command. As providers manage powerful operations in your infrastructure, it is important to download these from trusted sources and confirm that they have not been tampered with prior to using them.
Drift Management: In any complex enterprise environment, manual changes can occur in runtime through “break the glass” mechanisms or other means. These changes cause a deviation, referred to as “drift,” between your runtime environment and what has been defined in your Terraform code. If not corrected in the source code, build teams will continue to use the old version and/or systems will no longer meet security requirements.
For more on Terraform security key considerations read the whitepaper “DevOps Guide to Terraform Security”.
Preventing Terraform vulnerabilities with Tenable.cs
Tenable.cs is a developer-friendly, Cloud-Native Application Security Platform (CNASP) that enables your organization to secure cloud resources, container images and cloud assets, providing end-to-end security from code to cloud to workload. To enforce best practices, you can evaluate your code using a static code analysis tool such as Terrascan. Terrascan is an open source project that was created by Tenable and is the underpinning scanning engine for Tenable.cs. Terrascan includes hundreds of policies across multiple providers written in the Rego language, and assesses for misconfigurations using the Open Policy Agent (OPA) engine. These policies can be extended to include any standards specific to your environment. To enforce these as part of your workflow, you can include a job as part of your CI/CD pipeline that uses Terrascan to scan any changes to your HCL files for security issues. If any issues are detected, the job will fail with an error message indicating that a security issue has been found that needs to be addressed.
Tenable.cs enables cloud operations and security teams to assess Terraform templates for policy violations. You can integrate cloud infrastructure security into the DevOps pipeline to prevent security issues from reaching production. You can also quickly remediate IaC misconfigurations directly in development tools to enforce policies in both build-time and runtime.
Failing Tenable.cs Policy for a Terraform template (Storage encryption not enabled on RDS instance)
Tenable.cs recommended remediation action to resolve failing policy. (Enable storage encryption in Terraform Template)
New! Enhanced automated remediation support with HashiCorp Terraform Cloud Run Tasks
Now Tenable is boosting its capabilities for securing Terraform with support for HashiCorp’s new Terraform Cloud Run Tasks. Terraform Cloud provides a hosted solution to build and deploy Terraform Templates. Using the new Terraform Cloud Run Tasks, you can leverage Tenable.cs to scan your Terraform Templates during the Terraform cloud deploy step. The integration allows Terraform Cloud customers to detect any security issues within their IaC using Tenable.cs as part of the planning phase of the Terraform execution. By adding this support for Terraform Cloud Run Tasks in Tenable.cs, we’re helping developers detect and fix compliance and security risks in their IaC so they can mitigate issues before cloud infrastructure is provisioned.
Additionally, knowing the exact remediation steps can be time intensive and challenging. That’s why remediation recommendations are provided as part of the integration, in the form of a pull request to the source code repository associated with the Terraform workspace, to help with fixing issues found in Terraform templates before they are provisioned. Customers can leverage over 1,500 policies in the Tenable.cs commercial offering to perform deep scans in Terraform Cloud. Users interested in viewing the setup guide on how to connect Tenable.cs with Terraform Cloud Workspace can find detailed documentation here.
To learn more about Tenable.cs view the data sheet or access the on-demand webinar “Introducing Tenable.cs: Secure Every Step From Code to Cloud”.
GitHub to mandate 2FA for all code contributors by 2023
GitHub has announced its largest-ever push toward two-factor authentication (2FA). The world’s leading development platform said it will require all code-contributing users to enroll in 2FA by the end of 2023 to enhance the security of developer accounts and bolster security within the software supply chain. Given the number of developers and enterprises on the platform, GitHub’s move is significant with the risks surrounding software supply chains continuing to threaten and expose organizations more than a year after the infamous SolarWinds Sunburst attack.
freetype-2.10.4-6.fc34
FEDORA-2022-5e45671294
Packages in this update:
freetype-2.10.4-6.fc34
Update description:
Security fix for CVE-2022-27404, CVE-2022-27405 and CVE-2022-27406.
freetype-2.11.0-6.fc35
FEDORA-2022-80e1724780
Packages in this update:
freetype-2.11.0-6.fc35
Update description:
Security fix for CVE-2022-27404, CVE-2022-27405 and CVE-2022-27406.
Instagram Hack Results in $1 Million Loss in NFTs
Imagine – your favorite brand on Instagram just announced a giveaway. You’ll receive a free gift! All you have to do is provide your credit card information. Sounds easy, right? This is a brand you’ve followed and trusted for a while now. You’ve engaged with them and even purchased some of their items. The link comes directly from their official page, so you don’t think to question it.
This is the same mindset that led to several Bored Ape Yacht Club (BAYC) NFTs being stolen by a cybercriminal who had hacked into the company’s official Instagram account. Let’s dive into the details of this scam.
Sneaking Into the Bored Ape Yacht Club
Bored Ape Yacht Club, the NFT collection, disclosed through Twitter that their Instagram account had been hacked, and advised users not to click on any links or link their crypto wallets to anything. The hacker managed to log into the account and post a phishing link promoting an “airdrop,” or a free token giveaway, to users who connected their MetaMask wallets. Those who linked their wallets before BAYC’s warning lost a combined amount of over $1 million in NFTs.
Despite the large price tag attached to NFTs, they are often held in smartphone wallets rather than more secure alternatives. MetaMask, the crypto wallet application, only allows NFT display through mobile devices and encourages users to use the smartphone app to manage them. While it may be a good method for display purposes, this limitation provides hackers with a new and effective way to easily steal from users’ mobile wallets.
BAYC does not yet know how the hacker was able to gain access to their Instagram account, but they are following security best practices and actively working to contact the users affected.
N.F.T. – Not For Taking
This scam was conducted through the official BAYC account, making it appear legitimate to BAYC’s followers. It is incredibly important to stay vigilant and know how to protect yourself and your assets from scams like these. Follow the tips below to steer clear of phishing scams and keep your digital assets safe:
Ensure wallet security
A seed phrase is the “open sesame” to your cryptocurrency wallet. The string of words is what grants you access to all your wallet’s assets. Ensuring that your seed phrase is stored away safely and not easily accessible by anyone but yourself is the first step to making sure your wallet is secure.
Protect your privacy
With all transactional and wallet data publicly available, scammers can pick and choose their targets based on who appears to own valuable assets. To protect your privacy and avoid being targeted, refrain from sharing your personal information on social media sites or using your NFT as a social media avatar.
Look out for phishing scams
Phishing scams targeting NFT collectors are becoming increasingly common. Be wary of any airdrops offering free tokens in exchange for your information or other “collectors” doing the same.
Phishing scams tend to get more sophisticated over time, especially in cases like the Bored Ape Yacht Club where the malicious links are coming straight from the official account. It is always best to remain skeptical and cautious, but when in doubt, here are some extra tips to spot phishing scams:
Is it written properly? A few spelling or grammar mistakes can be common, but many phishing messages will contain glaring errors that professional accounts or companies wouldn’t make. If you receive an error-filled message or promotion that requires giving your personal information, run in the other direction.
Does the logo look right? Scammers will often steal the logo of whatever brand or company they’re impersonating to make the whole shtick look more legitimate. However, rarely do the logos look exactly how they’re supposed to. Pay close attention to any logo added in a message or link. Is the quality low? Is it crooked or off-center? Is it almost too small to completely make out? If yes, it’s most likely not the real deal.
Is the URL legit? In any phishing scam, there will always be a link involved. To check if a link is actually legitimate, copy and paste the URL into a word processor where you can examine it for any odd spelling or grammatical errors. If you receive a strange link via email, hover over it with your mouse to see the link preview. If it looks suspicious, ignore and delete it. Even on mobile devices, you can press and hold the link with your finger to check out the legitimacy of the URL.
As crypto and NFTs continue to take the world by storm, hackers and scammers are constantly on the prowl for ways to steal and deceive. No matter the source or how trustworthy it may seem at first glance, always exercise caution to keep yourself and your assets safe!
The post Instagram Hack Results in $1 Million Loss in NFTs appeared first on McAfee Blog.
UK to Place Security Requirements on App Developers and Store Operators
Under the proposals, all app stores would be required to commit to a new code of practice
USN-5402-1: OpenSSL vulnerabilities
Elison Niven discovered that OpenSSL incorrectly handled the c_rehash
script. A local attacker could possibly use this issue to execute arbitrary
commands when c_rehash is run. (CVE-2022-1292)
Raul Metsma discovered that OpenSSL incorrectly verified certain response
signing certificates. A remote attacker could possibly use this issue to
spoof certain response signing certificates. This issue only affected
Ubuntu 22.04 LTS. (CVE-2022-1343)
Tom Colley discovered that OpenSSL used the incorrect MAC key in the
RC4-MD5 ciphersuite. In non-default configurations were RC4-MD5 is enabled,
a remote attacker could possibly use this issue to modify encrypted
communications. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-1434)
Aliaksei Levin discovered that OpenSSL incorrectly handled resources when
decoding certificates and keys. A remote attacker could possibly use this
issue to cause OpenSSL to consume resources, leading to a denial of
service. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-1473)
USN-5400-2: MySQL vulnerabilities
USN-5400-1 fixed several vulnerabilities in MySQL. This update provides
the corresponding update for Ubuntu 16.04 ESM.
Original advisory details:
Multiple security issues were discovered in MySQL and this update includes
new upstream MySQL versions to fix these issues.
MySQL has been updated in Ubuntu 16.04 ESM to MySQL 5.7.38.
In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.
Please see the following for more information:
https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-38.html
https://www.oracle.com/security-alerts/cpuapr2022.html
USN-5401-1: DPDK vulnerabilities
Wenxiang Qian discovered that DPDK incorrectly checked certain payloads. An
attacker could use this issue to cause DPDK to crash, resulting in a denial
of service, or possibly execute arbitrary code. (CVE-2021-3839)
It was discovered that DPDK incorrectly handled inflight type messages. An
attacker could possibly use this issue to cause DPDK to consume resources,
leading to a denial of service. (CVE-2022-0669)